[Samba] winbind problems

John Hodrien johnh at comp.leeds.ac.uk
Wed Sep 17 14:42:45 GMT 2008


On Wed, 17 Sep 2008, Waltari Harri wrote:

> Does using "winbind enum ..." affect functionality somehow, like
> performance-wise? Only difference I've noticed is that "getent xxx" does
> not return AD users or groups, but e.g. "getent group ad-group" does.
> Still, setting permissions works for AD users. Are there any other
> implications if it is left out?

It does exactly what you've observed.  It's not a behaviour that applications
appear to rely on.  With a large AD you have no alternative but to not
enumerate groups (especially if you're flattening nested groups).  I've had no
problems with enum off, and lots of performance problems with enum on.

Be a member of 100 groups (some of which contain >75000 users) and issue "id".
With enum logic on (whether in winbind or nss_ldap) it's not pretty.

jh

-- 
"Four boxes to be used in defense of liberty: soap, ballot, jury, ammo - use
  in that order."                                    -- Ed Howdershelt

